/*     */ package com.zimbra.cs.account.accesscontrol;
/*     */ 
/*     */ import com.zimbra.common.account.Key.CalendarResourceBy;
/*     */ import com.zimbra.common.account.Key.CosBy;
/*     */ import com.zimbra.common.account.Key.DomainBy;
/*     */ import com.zimbra.common.service.ServiceException;
/*     */ import com.zimbra.common.util.EmailUtil;
/*     */ import com.zimbra.common.util.Log;
/*     */ import com.zimbra.common.util.StringUtil;
/*     */ import com.zimbra.common.util.ZimbraLog;
/*     */ import com.zimbra.cs.account.AccessManager;
/*     */ import com.zimbra.cs.account.AccessManager.AttrRightChecker;
/*     */ import com.zimbra.cs.account.AccessManager.ViaGrant;
/*     */ import com.zimbra.cs.account.Account;
/*     */ import com.zimbra.cs.account.AuthToken;
/*     */ import com.zimbra.cs.account.Cos;
/*     */ import com.zimbra.cs.account.Domain;
/*     */ import com.zimbra.cs.account.DomainAccessManager;
/*     */ import com.zimbra.cs.account.Entry;
/*     */ import com.zimbra.cs.account.Group;
/*     */ import com.zimbra.cs.account.Group.GroupOwner;
/*     */ import com.zimbra.cs.account.GuestAccount;
/*     */ import com.zimbra.cs.account.MailTarget;
/*     */ import com.zimbra.cs.account.Provisioning;
/*     */ import com.zimbra.cs.account.accesscontrol.generated.UserRights;
/*     */ import com.zimbra.cs.account.names.NameUtil.EmailAddress;
/*     */ import java.util.Arrays;
/*     */ import java.util.HashSet;
/*     */ import java.util.Map;
/*     */ import java.util.Set;
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ public class ACLAccessManager
/*     */   extends AccessManager
/*     */   implements AdminConsoleCapable
/*     */ {
/*     */   public ACLAccessManager()
/*     */     throws ServiceException
/*     */   {
/*  55 */     RightManager.getInstance();
/*     */   }
/*     */   
/*     */   public boolean isAdequateAdminAccount(Account acct)
/*     */   {
/*  60 */     return (acct.getBooleanAttr("zimbraIsDelegatedAdminAccount", false)) || (acct.getBooleanAttr("zimbraIsAdminAccount", false));
/*     */   }
/*     */   
/*     */   private Account actualTargetForAdminLoginAs(Account target) throws ServiceException
/*     */   {
/*  65 */     if (target.isCalendarResource())
/*     */     {
/*  67 */       return Provisioning.getInstance().get(Key.CalendarResourceBy.id, target.getId());
/*     */     }
/*  69 */     return target;
/*     */   }
/*     */   
/*     */   private AdminRight actualRightForAdminLoginAs(Account target)
/*     */   {
/*  74 */     if (target.isCalendarResource()) {
/*  75 */       return Rights.Admin.R_adminLoginCalendarResourceAs;
/*     */     }
/*  77 */     return Rights.Admin.R_adminLoginAs;
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */   public boolean isDomainAdminOnly(AuthToken at)
/*     */   {
/*  84 */     return false;
/*     */   }
/*     */   
/*     */ 
/*     */   public boolean canAccessAccount(AuthToken at, Account target, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/*  91 */     if (!StringUtil.equal(at.getAccount().getDomainId(), target.getDomainId())) {
/*  92 */       checkDomainStatus(target);
/*     */     }
/*     */     
/*  95 */     if (isParentOf(at, target)) {
/*  96 */       return true;
/*     */     }
/*     */     
/*  99 */     if (asAdmin) {
/* 100 */       return canDo(at, actualTargetForAdminLoginAs(target), actualRightForAdminLoginAs(target), asAdmin);
/*     */     }
/*     */     
/* 103 */     return canDo(at, target, Rights.User.R_loginAs, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canAccessAccount(AuthToken at, Account target)
/*     */     throws ServiceException
/*     */   {
/* 109 */     return canAccessAccount(at, target, true);
/*     */   }
/*     */   
/*     */ 
/*     */   public boolean canAccessAccount(Account credentials, Account target, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 116 */     checkDomainStatus(target);
/*     */     
/* 118 */     if (isParentOf(credentials, target)) {
/* 119 */       return true;
/*     */     }
/*     */     
/* 122 */     if (asAdmin) {
/* 123 */       return canDo(credentials, actualTargetForAdminLoginAs(target), actualRightForAdminLoginAs(target), asAdmin);
/*     */     }
/*     */     
/* 126 */     return canDo(credentials, target, Rights.User.R_loginAs, asAdmin);
/*     */   }
/*     */   
/*     */ 
/*     */   public boolean canAccessAccount(Account credentials, Account target)
/*     */     throws ServiceException
/*     */   {
/* 133 */     return canAccessAccount(credentials, target, true);
/*     */   }
/*     */   
/*     */   public boolean canAccessCos(AuthToken at, Cos cos) throws ServiceException
/*     */   {
/* 138 */     return false;
/*     */   }
/*     */   
/*     */   public boolean canCreateGroup(AuthToken at, String groupEmail)
/*     */     throws ServiceException
/*     */   {
/* 144 */     Domain domain = Provisioning.getInstance().getDomainByEmailAddr(groupEmail);
/* 145 */     checkDomainStatus(domain);
/*     */     
/* 147 */     return canDo(at, domain, Rights.User.R_createDistList, true);
/*     */   }
/*     */   
/*     */   public boolean canCreateGroup(Account credentials, String groupEmail)
/*     */     throws ServiceException
/*     */   {
/* 153 */     Domain domain = Provisioning.getInstance().getDomainByEmailAddr(groupEmail);
/* 154 */     checkDomainStatus(domain);
/*     */     
/* 156 */     return canDo(credentials, domain, Rights.User.R_createDistList, true);
/*     */   }
/*     */   
/*     */   public boolean canAccessGroup(AuthToken at, Group group)
/*     */     throws ServiceException
/*     */   {
/* 162 */     checkDomainStatus(group);
/* 163 */     return canDo(at, group, Group.GroupOwner.GROUP_OWNER_RIGHT, true);
/*     */   }
/*     */   
/*     */   public boolean canAccessGroup(Account credentials, Group group, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 169 */     checkDomainStatus(group);
/* 170 */     return canDo(credentials, group, Group.GroupOwner.GROUP_OWNER_RIGHT, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canAccessDomain(AuthToken at, String domainName) throws ServiceException
/*     */   {
/* 175 */     throw ServiceException.FAILURE("internal error", null);
/*     */   }
/*     */   
/*     */   public boolean canAccessDomain(AuthToken at, Domain domain) throws ServiceException
/*     */   {
/* 180 */     throw ServiceException.FAILURE("internal error", null);
/*     */   }
/*     */   
/*     */   public boolean canAccessEmail(AuthToken at, String email) throws ServiceException
/*     */   {
/* 185 */     throw ServiceException.FAILURE("internal error", null);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   public boolean canModifyMailQuota(AuthToken at, Account targetAccount, long mailQuota)
/*     */     throws ServiceException
/*     */   {
/* 196 */     return DomainAccessManager.canSetMailQuota(at, targetAccount, mailQuota);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */   public boolean canDo(MailTarget grantee, Entry target, Right rightNeeded, boolean asAdmin)
/*     */   {
/*     */     try
/*     */     {
/* 205 */       return canDo(grantee, target, rightNeeded, asAdmin, null);
/*     */     } catch (ServiceException e) {
/* 207 */       ZimbraLog.acl.warn("right denied", e); }
/* 208 */     return false;
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */   public boolean canDo(AuthToken grantee, Entry target, Right rightNeeded, boolean asAdmin)
/*     */   {
/*     */     try
/*     */     {
/* 218 */       return canDo(grantee, target, rightNeeded, asAdmin, null);
/*     */     } catch (ServiceException e) {
/* 220 */       ZimbraLog.acl.warn("right denied", e); }
/* 221 */     return false;
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */   public boolean canDo(String granteeEmail, Entry target, Right rightNeeded, boolean asAdmin)
/*     */   {
/*     */     try
/*     */     {
/* 231 */       return canDo(granteeEmail, target, rightNeeded, asAdmin, null);
/*     */     } catch (ServiceException e) {
/* 233 */       ZimbraLog.acl.warn("right denied", e); }
/* 234 */     return false;
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */   public boolean canDo(MailTarget grantee, Entry target, Right rightNeeded, boolean asAdmin, AccessManager.ViaGrant via)
/*     */     throws ServiceException
/*     */   {
/* 243 */     Boolean hardRulesResult = HardRules.checkHardRules(grantee, asAdmin, target, rightNeeded);
/* 244 */     if (hardRulesResult != null) {
/* 245 */       return hardRulesResult.booleanValue();
/*     */     }
/*     */     
/* 248 */     if (checkOverridingRules(grantee, asAdmin, target, rightNeeded)) {
/* 249 */       return true;
/*     */     }
/*     */     
/*     */ 
/* 253 */     if (asAdmin) {
/* 254 */       if (rightNeeded == AdminRight.PR_ALWAYS_ALLOW)
/* 255 */         return true;
/* 256 */       if (rightNeeded == AdminRight.PR_SYSTEM_ADMIN_ONLY) {
/* 257 */         return false;
/*     */       }
/*     */     }
/*     */     
/* 261 */     return checkPresetRight(grantee, target, rightNeeded, false, asAdmin, via);
/*     */   }
/*     */   
/*     */   public boolean canDo(AuthToken grantee, Entry target, Right rightNeeded, boolean asAdmin, AccessManager.ViaGrant via) throws ServiceException
/*     */   {
/*     */     try
/*     */     {
/* 268 */       Account granteeAcct = AccessControlUtil.authTokenToAccount(grantee, rightNeeded);
/* 269 */       if (granteeAcct != null) {
/* 270 */         return canDo(granteeAcct, target, rightNeeded, asAdmin, via);
/*     */       }
/*     */     } catch (ServiceException e) {
/* 273 */       ZimbraLog.acl.warn("ACL checking failed", e);
/*     */     }
/*     */     
/* 276 */     return false;
/*     */   }
/*     */   
/*     */   public boolean canDo(String granteeEmail, Entry target, Right rightNeeded, boolean asAdmin, AccessManager.ViaGrant via) throws ServiceException
/*     */   {
/*     */     try
/*     */     {
/* 283 */       MailTarget grantee = AccessControlUtil.emailAddrToMailTarget(granteeEmail, rightNeeded);
/* 284 */       if (grantee != null) {
/* 285 */         return canDo(grantee, target, rightNeeded, asAdmin, via);
/*     */       }
/*     */     } catch (ServiceException e) {
/* 288 */       ZimbraLog.acl.warn("ACL checking failed", e);
/*     */     }
/*     */     
/* 291 */     return false;
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */   public boolean canGetAttrs(Account grantee, Entry target, Set<String> attrsNeeded, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 299 */     Boolean hardRulesResult = HardRules.checkHardRules(grantee, asAdmin, target, null);
/* 300 */     if (hardRulesResult != null) {
/* 301 */       return hardRulesResult.booleanValue();
/*     */     }
/*     */     
/* 304 */     return canGetAttrsInternal(grantee, target, attrsNeeded, false);
/*     */   }
/*     */   
/*     */   public boolean canGetAttrs(AuthToken grantee, Entry target, Set<String> attrs, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 310 */     return canGetAttrs(grantee.getAccount(), target, attrs, asAdmin);
/*     */   }
/*     */   
/*     */   public AccessManager.AttrRightChecker getGetAttrsChecker(Account credentials, Entry target, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 316 */     Boolean hardRulesResult = HardRules.checkHardRules(credentials, asAdmin, target, null);
/*     */     
/* 318 */     if (hardRulesResult == Boolean.TRUE)
/* 319 */       return AllowedAttrs.ALLOW_ALL_ATTRS();
/* 320 */     if (hardRulesResult == Boolean.FALSE) {
/* 321 */       return AllowedAttrs.DENY_ALL_ATTRS();
/*     */     }
/* 323 */     RightBearer.Grantee grantee = RightBearer.Grantee.getGrantee(credentials);
/* 324 */     AccessManager.AttrRightChecker rightChecker = CheckAttrRight.accessibleAttrs(grantee, target, AdminRight.PR_GET_ATTRS, false);
/* 325 */     return rightChecker;
/*     */   }
/*     */   
/*     */ 
/*     */   public AccessManager.AttrRightChecker getGetAttrsChecker(AuthToken credentials, Entry target, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 332 */     return getGetAttrsChecker(credentials.getAccount(), target, asAdmin);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   public boolean canSetAttrs(Account grantee, Entry target, Set<String> attrsNeeded, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 342 */     Boolean hardRulesResult = HardRules.checkHardRules(grantee, asAdmin, target, null);
/* 343 */     if (hardRulesResult != null) {
/* 344 */       return hardRulesResult.booleanValue();
/*     */     }
/*     */     
/* 347 */     return canSetAttrsInternal(grantee, target, attrsNeeded, false);
/*     */   }
/*     */   
/*     */   public boolean canSetAttrs(AuthToken grantee, Entry target, Set<String> attrs, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 353 */     return canSetAttrs(grantee.getAccount(), target, attrs, asAdmin);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */   public boolean canSetAttrs(Account granteeAcct, Entry target, Map<String, Object> attrsNeeded, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 362 */     Boolean hardRulesResult = HardRules.checkHardRules(granteeAcct, asAdmin, target, null);
/* 363 */     if (hardRulesResult != null) {
/* 364 */       return hardRulesResult.booleanValue();
/*     */     }
/*     */     
/* 367 */     RightBearer.Grantee grantee = RightBearer.Grantee.getGrantee(granteeAcct);
/* 368 */     AllowedAttrs allowedAttrs = CheckAttrRight.accessibleAttrs(grantee, target, AdminRight.PR_SET_ATTRS, false);
/* 369 */     return allowedAttrs.canSetAttrsWithinConstraints(grantee, target, attrsNeeded);
/*     */   }
/*     */   
/*     */   public boolean canSetAttrs(AuthToken grantee, Entry target, Map<String, Object> attrs, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 375 */     return canSetAttrs(grantee.getAccount(), target, attrs, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canSetAttrsOnCreate(Account grantee, TargetType targetType, String entryName, Map<String, Object> attrs, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 381 */     Key.DomainBy domainBy = null;
/* 382 */     String domainStr = null;
/* 383 */     Key.CosBy cosBy = null;
/* 384 */     String cosStr = null;
/*     */     
/* 386 */     if (targetType.isDomained()) {
/* 387 */       String[] parts = EmailUtil.getLocalPartAndDomain(entryName);
/* 388 */       if (parts == null) {
/* 389 */         throw ServiceException.INVALID_REQUEST("must be valid email address: " + entryName, null);
/*     */       }
/*     */       
/* 392 */       domainBy = Key.DomainBy.name;
/* 393 */       domainStr = parts[1];
/*     */     }
/*     */     
/* 396 */     if ((targetType == TargetType.account) || (targetType == TargetType.calresource))
/*     */     {
/* 398 */       cosStr = (String)attrs.get("zimbraCOSId");
/* 399 */       if (cosStr != null) {
/* 400 */         if (Provisioning.isUUID(cosStr)) {
/* 401 */           cosBy = Key.CosBy.id;
/*     */         } else {
/* 403 */           cosBy = Key.CosBy.name;
/*     */         }
/*     */       }
/*     */     }
/*     */     
/* 408 */     Entry target = PseudoTarget.createPseudoTarget(Provisioning.getInstance(), targetType, domainBy, domainStr, false, cosBy, cosStr, entryName);
/*     */     
/* 410 */     return canSetAttrs(grantee, target, attrs, asAdmin);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   public boolean canPerform(MailTarget grantee, Entry target, Right rightNeeded, boolean canDelegateNeeded, Map<String, Object> attrs, boolean asAdmin, AccessManager.ViaGrant viaGrant)
/*     */     throws ServiceException
/*     */   {
/* 420 */     Boolean hardRulesResult = HardRules.checkHardRules(grantee, asAdmin, target, rightNeeded);
/* 421 */     if (hardRulesResult != null) {
/* 422 */       return hardRulesResult.booleanValue();
/*     */     }
/*     */     
/* 425 */     if (checkOverridingRules(grantee, asAdmin, target, rightNeeded)) {
/* 426 */       return true;
/*     */     }
/*     */     
/* 429 */     boolean allowed = false;
/* 430 */     if (rightNeeded.isPresetRight()) {
/* 431 */       allowed = checkPresetRight(grantee, target, rightNeeded, canDelegateNeeded, asAdmin, viaGrant);
/* 432 */     } else if (rightNeeded.isAttrRight()) {
/* 433 */       if ((grantee instanceof Account)) {
/* 434 */         allowed = checkAttrRight((Account)grantee, target, (AttrRight)rightNeeded, canDelegateNeeded, attrs, asAdmin);
/*     */       }
/* 436 */     } else if (rightNeeded.isComboRight()) {
/* 437 */       ComboRight comboRight = (ComboRight)rightNeeded;
/*     */       
/* 439 */       for (Right right : comboRight.getAllRights())
/*     */       {
/* 441 */         if (!canPerform(grantee, target, right, canDelegateNeeded, attrs, asAdmin, null)) {
/* 442 */           return false;
/*     */         }
/*     */       }
/* 445 */       allowed = true;
/*     */     }
/*     */     
/* 448 */     return allowed;
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   private boolean checkOverridingRules(MailTarget grantee, boolean asAdmin, Entry target, Right rightNeeded)
/*     */   {
/* 458 */     return checkForDomainAdminAssigningDLowner(grantee, asAdmin, target, rightNeeded);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   private boolean checkForDomainAdminAssigningDLowner(MailTarget grantee, boolean asAdmin, Entry target, Right rightNeeded)
/*     */   {
/* 475 */     if (!UserRights.R_ownDistList.equals(rightNeeded)) {
/* 476 */       return false;
/*     */     }
/* 478 */     if (((grantee instanceof Account)) && ((target instanceof Group))) {
/* 479 */       Account authedAcct = (Account)grantee;
/* 480 */       Group group = (Group)target;
/* 481 */       if (!AccessControlUtil.isDelegatedAdmin(authedAcct, asAdmin)) {
/* 482 */         return false;
/*     */       }
/*     */       try
/*     */       {
/* 486 */         String domainName = NameUtil.EmailAddress.getDomainNameFromEmail(group.getName());
/* 487 */         Domain domain = Provisioning.getInstance().get(Key.DomainBy.name, domainName);
/* 488 */         if (domain == null) {
/* 489 */           return false;
/*     */         }
/* 491 */         checkDomainStatus(domain);
/* 492 */         Right alternativeRight = group.isDynamic() ? Rights.Admin.R_createGroup : Rights.Admin.R_createDistributionList;
/* 493 */         if (canDo(authedAcct, domain, alternativeRight, true, null)) {
/* 494 */           ZimbraLog.acl.debug("Right [%s] ALLOWED to '%s' for Group '%s' because %s is allowed right [%s] for domain '%s'", new Object[] { rightNeeded.getName(), authedAcct.getName(), group.getName(), authedAcct.getName(), alternativeRight.getName(), domain.getName() });
/*     */           
/*     */ 
/*     */ 
/* 498 */           return true;
/*     */         }
/*     */       } catch (ServiceException e) {
/* 501 */         return false;
/*     */       }
/*     */     }
/* 504 */     return false;
/*     */   }
/*     */   
/*     */ 
/*     */   public boolean canPerform(AuthToken grantee, Entry target, Right rightNeeded, boolean canDelegate, Map<String, Object> attrs, boolean asAdmin, AccessManager.ViaGrant viaGrant)
/*     */     throws ServiceException
/*     */   {
/* 511 */     Account authedAcct = grantee.getAccount();
/* 512 */     return canPerform(authedAcct, target, rightNeeded, canDelegate, attrs, asAdmin, viaGrant);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */   private boolean checkPresetRight(MailTarget grantee, Entry target, Right rightNeeded, boolean canDelegateNeeded, boolean asAdmin, AccessManager.ViaGrant via)
/*     */   {
/*     */     try
/*     */     {
/* 521 */       if (grantee == null) {
/* 522 */         if (canDelegateNeeded) {
/* 523 */           return false;
/*     */         }
/*     */         
/* 526 */         if (rightNeeded.isUserRight()) {
/* 527 */           grantee = GuestAccount.ANONYMOUS_ACCT;
/*     */         } else {
/* 529 */           return false;
/*     */         }
/*     */       }
/*     */       
/*     */ 
/*     */ 
/*     */ 
/* 536 */       if (rightNeeded.isUserRight()) {
/* 537 */         if ((target instanceof Account))
/*     */         {
/* 539 */           if (((Account)target).getId().equals(grantee.getId())) {
/* 540 */             return true;
/*     */           }
/*     */           
/*     */ 
/* 544 */           if ((rightNeeded != Rights.User.R_loginAs) && 
/* 545 */             (canAccessAccount((Account)grantee, (Account)target, asAdmin))) {
/* 546 */             return true;
/*     */           }
/*     */           
/*     */         }
/*     */         
/*     */ 
/*     */       }
/* 553 */       else if (target == null) {
/* 554 */         return false;
/*     */       }
/*     */       
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/* 562 */       Boolean result = null;
/* 563 */       if (target != null) {
/* 564 */         result = CheckPresetRight.check(grantee, target, rightNeeded, canDelegateNeeded, via);
/*     */       }
/*     */       
/* 567 */       if ((result != null) && (result.booleanValue())) {
/* 568 */         return result.booleanValue();
/*     */       }
/*     */       
/*     */ 
/* 572 */       if (canDelegateNeeded) {
/* 573 */         return false;
/*     */       }
/*     */       
/*     */ 
/* 577 */       CheckRightFallback fallback = rightNeeded.getFallback();
/* 578 */       if ((fallback != null) && ((grantee instanceof Account))) {
/* 579 */         Boolean fallbackResult = fallback.checkRight((Account)grantee, target, asAdmin);
/* 580 */         if (fallbackResult != null) {
/* 581 */           ZimbraLog.acl.debug("checkPresetRight fallback to: " + fallbackResult.booleanValue());
/* 582 */           return fallbackResult.booleanValue();
/*     */         }
/*     */       }
/*     */       
/* 586 */       if (result == null)
/*     */       {
/*     */ 
/* 589 */         Boolean defaultValue = rightNeeded.getDefault();
/* 590 */         if (defaultValue != null) {
/* 591 */           ZimbraLog.acl.debug("checkPresetRight default to: " + defaultValue.booleanValue());
/* 592 */           return defaultValue.booleanValue();
/*     */         }
/*     */       }
/*     */     }
/*     */     catch (ServiceException e)
/*     */     {
/* 598 */       ZimbraLog.acl.warn("ACL checking failed: grantee=" + grantee.getName() + ", target=" + target.getLabel() + ", right=" + rightNeeded.getName() + " => denied", e);
/*     */     }
/*     */     
/*     */ 
/*     */ 
/*     */ 
/* 604 */     return false;
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */   private boolean checkAttrRight(Account grantee, Entry target, AttrRight rightNeeded, boolean canDelegateNeeded, Map<String, Object> attrs, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 612 */     TargetType targetType = TargetType.getTargetType(target);
/* 613 */     if (!CheckRight.rightApplicableOnTargetType(targetType, rightNeeded, canDelegateNeeded)) {
/* 614 */       return false;
/*     */     }
/*     */     
/* 617 */     boolean allowed = false;
/*     */     
/* 619 */     if (rightNeeded.getRightType() == Right.RightType.getAttrs) {
/* 620 */       allowed = checkAttrRight(grantee, target, rightNeeded, canDelegateNeeded);
/*     */     }
/* 622 */     else if ((attrs == null) || (attrs.isEmpty()))
/*     */     {
/* 624 */       allowed = checkAttrRight(grantee, target, rightNeeded, canDelegateNeeded);
/*     */ 
/*     */     }
/*     */     else
/*     */     {
/* 629 */       if (canDelegateNeeded) {
/* 630 */         throw ServiceException.FAILURE("internal error", null);
/*     */       }
/*     */       
/* 633 */       allowed = canSetAttrs(grantee, target, attrs, asAdmin);
/*     */     }
/*     */     
/*     */ 
/* 637 */     return allowed;
/*     */   }
/*     */   
/*     */   private boolean checkAttrRight(Account granteeAcct, Entry target, AttrRight rightNeeded, boolean canDelegateNeeded) throws ServiceException
/*     */   {
/* 642 */     AllowedAttrs allowedAttrs = CheckAttrRight.accessibleAttrs(RightBearer.Grantee.getGrantee(granteeAcct), target, rightNeeded, canDelegateNeeded);
/*     */     
/* 644 */     return allowedAttrs.canAccessAttrs(rightNeeded.getAttrs(), target);
/*     */   }
/*     */   
/*     */   private boolean canGetAttrsInternal(Account granteeAcct, Entry target, Set<String> attrsNeeded, boolean canDelegateNeeded) throws ServiceException
/*     */   {
/* 649 */     AllowedAttrs allowedAttrs = CheckAttrRight.accessibleAttrs(RightBearer.Grantee.getGrantee(granteeAcct), target, AdminRight.PR_GET_ATTRS, canDelegateNeeded);
/*     */     
/*     */ 
/*     */ 
/* 653 */     return allowedAttrs.canAccessAttrs(attrsNeeded, target);
/*     */   }
/*     */   
/*     */   private boolean canSetAttrsInternal(Account granteeAcct, Entry target, Set<String> attrsNeeded, boolean canDelegateNeeded) throws ServiceException
/*     */   {
/* 658 */     AllowedAttrs allowedAttrs = CheckAttrRight.accessibleAttrs(RightBearer.Grantee.getGrantee(granteeAcct), target, AdminRight.PR_SET_ATTRS, canDelegateNeeded);
/*     */     
/*     */ 
/* 661 */     return allowedAttrs.canAccessAttrs(attrsNeeded, target);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   public Map<Right, Set<Entry>> discoverUserRights(Account credentials, Set<Right> rights, boolean onMaster)
/*     */     throws ServiceException
/*     */   {
/* 671 */     DiscoverUserRights discoverRights = new DiscoverUserRights(credentials, rights, onMaster);
/* 672 */     return discoverRights.handle();
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   public void getAllEffectiveRights(RightBearer rightBearer, boolean expandSetAttrs, boolean expandGetAttrs, RightCommand.AllEffectiveRights result)
/*     */     throws ServiceException
/*     */   {
/* 684 */     CollectAllEffectiveRights.getAllEffectiveRights(rightBearer, expandSetAttrs, expandGetAttrs, result);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */   public void getEffectiveRights(RightBearer rightBearer, Entry target, boolean expandSetAttrs, boolean expandGetAttrs, RightCommand.EffectiveRights result)
/*     */     throws ServiceException
/*     */   {
/* 692 */     CollectEffectiveRights.getEffectiveRights(rightBearer, target, expandSetAttrs, expandGetAttrs, result);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */   public Set<TargetType> targetTypesForGrantSearch()
/*     */   {
/* 700 */     return new HashSet(Arrays.asList(TargetType.values()));
/*     */   }
/*     */ }


/* Location:              /home/mint/zimbrastore.jar!/com/zimbra/cs/account/accesscontrol/ACLAccessManager.class
 * Java compiler version: 7 (51.0)
 * JD-Core Version:       0.7.1
 */